On 5/12/06, Alexander Schaber <uranellus at gmx dot net> wrote:
>
> But I'm not exactly sure how to set up the firewall rule on the m0n0 box
> set in order to fit my needs:
>
> * Allowing Traffic from the classroom subnets (205,202,204,210) to
> the backbone
Put in an appropriate rule on each OPT interface permitting that IP
subnet to the backbone network.
> * Blocking Traffic between the subnets (e.g. 192.168.202.0/24 cannot
> access 192.168.204.0/24)
In this case, you'll probably want to permit traffic to the Internet,
so you'll probably want to end with a "permit any any" rule. So, on
each OPT interface, put in a permit rule for 192.168.0.0/24, then I'd
put in a deny any to destination 192.168.0.0/16 after that (rules are
first match, processed top to bottom). Then follow that with a permit
all any to any, if you need to let Internet access through (ideally
you'd put a proxy server on your backbone subnet, and only allow the
clients to talk to that proxy server, and let it talk out to the
Internet).
> * Allowing DNS, HTTP(S) from the WAN interface.
>
Put in a firewall rule on the WAN allowing HTTPS from the appropriate
source IPs.
> Is it a good idea to also NAT the classroom subnets 205,202,204,210 ?
>
If your backbone network is indeed private IPs as you show, I would
disable NAT on the m0n0wall in that picture (see the FAQ for info on
that).
-Chris
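The ordering point in the reply above (permit to the backbone, then deny the rest of 192.168.0.0/16, then permit anything, evaluated first-match top to bottom) as an added worked example; this is a small first-match evaluator written for illustration, not m0n0wall's own code. It assumes 192.168.0.0/24 is the backbone subnet, as the reply does, and that unmatched traffic is dropped by an implicit default deny.

```python
import ipaddress

def make_rule(action, src, dst):
    """Build a (action, source network, destination network) rule."""
    return (action, ipaddress.ip_network(src), ipaddress.ip_network(dst))

def evaluate(rules, src_ip, dst_ip):
    """Return the action of the first rule matching src -> dst, top to bottom."""
    s = ipaddress.ip_address(src_ip)
    d = ipaddress.ip_address(dst_ip)
    for action, src_net, dst_net in rules:
        if s in src_net and d in dst_net:
            return action
    return "deny"  # assumed implicit default deny when nothing matches

# Rules for the OPT interface serving classroom subnet 192.168.202.0/24.
# Backbone subnet 192.168.0.0/24 is an assumption taken from the reply.
OPT_RULES = [
    make_rule("permit", "192.168.202.0/24", "192.168.0.0/24"),  # classroom -> backbone
    make_rule("deny",   "192.168.202.0/24", "192.168.0.0/16"),  # no other private subnets
    make_rule("permit", "192.168.202.0/24", "0.0.0.0/0"),       # everything else (Internet)
]

# The same three rules with the deny moved below the "permit any": the
# permit-any rule now matches inter-classroom traffic first, so the deny
# never fires. This is the misconfiguration the ordering advice avoids.
MISORDERED_RULES = [OPT_RULES[0], OPT_RULES[2], OPT_RULES[1]]

def check_ordering(rules):
    """Evaluate three representative flows from a 192.168.202.0/24 host.

    Sample addresses are constructed for the example; 203.0.113.8 is a
    documentation-range address standing in for an Internet host.
    """
    return {
        "backbone": evaluate(rules, "192.168.202.10", "192.168.0.5"),
        "other_classroom": evaluate(rules, "192.168.202.10", "192.168.204.7"),
        "internet": evaluate(rules, "192.168.202.10", "203.0.113.8"),
    }

if __name__ == "__main__":
    print("correct order:", check_ordering(OPT_RULES))
    print("deny placed last:", check_ordering(MISORDERED_RULES))
```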